| Points | Level | Category | Model | RiskId | Rationale | LastAppearance |
|---|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 | 2020-11-25 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 | 2020-12-25 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 | 2020-10-25 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 | 2020-12-25 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC | 2021-01-25 |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 | 2020-11-25 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 | 2021-01-25 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 | 2020-10-25 |
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which do not have the flag "this account is sensitive and cannot be delegated": 8 | 2020-08-25 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago | 2020-08-25 |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grants the right to get in the recovery mode without being admin | 2020-09-25 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory | 2020-12-25 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 | 2020-10-25 |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago | 2020-08-25 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 | 2021-01-25 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 | 2020-09-25 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group | 2020-10-25 |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain | 2020-12-25 |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. | 2020-09-25 |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC | 2020-10-25 |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature | 2021-01-25 |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. | 2020-09-25 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 | 2020-09-25 |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 | 2020-11-25 |
| Date | Maturity | Global score | Total score | Anomalies | Privileged Accounts | Stale Objects | Trusts |
|---|---|---|---|---|---|---|---|
| 2020-08-25 | 1 | 100 | 766 | 184 | 360 | 97 | 125 |
| 2020-09-25 | 1 | 100 | 711 | 149 | 340 | 97 | 125 |
| 2020-10-25 | 1 | 100 | 666 | 134 | 325 | 82 | 125 |
| 2020-11-25 | 1 | 100 | 556 | 134 | 275 | 72 | 75 |
| 2020-12-25 | 1 | 100 | 460 | 134 | 185 | 66 | 75 |
| 2021-01-25 | 1 | 100 | 325 | 74 | 185 | 41 | 25 |
| 2021-02-25 | 1 | 100 | 240 | 59 | 110 | 46 | 25 |
| Level | Category | Model | RiskId | Rationale | 2021-02-25 | 2021-01-25 | 2020-12-25 | 2020-11-25 | 2020-10-25 | 2020-09-25 | 2020-08-25 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. | 10 | 10 | |||||
| 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago | 15 | ||||||
| 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago | 20 | ||||||
| 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature | 5 | 5 | 5 | 5 | 5 | 5 | |
| 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 | 10 | 10 | 10 | 10 | 10 | 10 | |
| 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. | 5 | 5 | |||||
| 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group | 2 | 2 | 2 | 2 | 2 | 2 | 2 |
| 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 | 60 | 60 | 60 | 60 | 60 | ||
| 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 | 30 | 30 | 30 | 30 | 30 | 30 | 30 |
| 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. | 25 | 25 | 25 | 25 | 25 | 25 | 25 |
| 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group | 10 | 10 | 10 | ||||
| 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which do not have the flag "this account is sensitive and cannot be delegated": 8 | 20 | ||||||
| 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 | 25 | 25 | 25 | ||||
| 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 | 30 | 30 | 30 | 30 | |||
| 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 | 45 | 45 | 45 | 45 | 45 | 45 | 45 |
| 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 | 30 | 30 | 30 | 30 | 30 | 30 | |
| 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC | 45 | 45 | 45 | 45 | 45 | 45 | |
| 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 | 60 | 60 | 60 | 60 | |||
| 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grants the right to get in the recovery mode without being admin | 15 | 15 | |||||
| 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) | 10 | 10 | 10 | 10 | 10 | 10 | 10 |
| 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 | 15 | 15 | 15 | ||||
| 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain | 10 | 10 | 10 | 10 | 10 | ||
| 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 | 15 | 15 | 15 | 15 | 15 | 15 | 15 |
| 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 | 5 | 5 | 5 | 5 | 5 | ||
| 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 | 15 | 15 | 15 | 15 | 15 | 15 | 15 |
| 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 | 10 | 10 | |||||
| 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5 |
| 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 | 5 | 5 | |||||
| 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 | 1 | 1 | 1 | 1 | |||
| 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory | 15 | 15 | 15 | 15 | 15 | ||
| 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC | 10 | 10 | 10 | ||||
| 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 | 20 | 20 | 20 | 20 | 20 | 20 | 20 |
| 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 | 50 | 50 | 50 | ||||
| 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 | 50 | 50 | 50 | 50 | 50 | ||
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Name |
|---|
| No data available to display. |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which do not have the flag "this account is sensitive and cannot be delegated": 8 |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grants the right to get in the recovery mode without being admin |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which do not have the flag "this account is sensitive and cannot be delegated": 8 |
| 20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago |
| 15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grants the right to get in the recovery mode without being admin |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grants the right to get in the recovery mode without being admin |
| 10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |
| 10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |
| 5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |
| 5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |
New risk rules triggered
| Name |
|---|
| No data available to display. |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The PowerShell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
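Several of the rules in the table above can be re-checked directly against the domain, so that a remediation can be confirmed before the next monthly scan instead of waiting for it. The script below is an added example and is not PingCastle's own code; it uses the RSAT ActiveDirectory module and assumes the caller can read the domain, that the built-in groups keep their default English names, and that "admin" can be approximated by accounts with adminCount=1 (PingCastle walks the privileged groups itself, so its counts may differ slightly). The default member list for the Denied RODC Password Replication Group is the documented Windows Server default and should be adjusted if the forest differs.

```powershell
# Added example, not PingCastle code: re-check several findings from the table above
# directly against the domain. Assumptions: RSAT ActiveDirectory module installed,
# read access to the domain, default English group names, and adminCount=1 as the
# proxy for "admin account".
Import-Module ActiveDirectory

$domain = Get-ADDomain
$admins = Get-ADUser -LDAPFilter '(&(adminCount=1)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, DoesNotRequirePreAuth, PasswordLastSet

$findings = [ordered]@{}

# P-Kerberoasting: any domain user can request a TGS for an SPN and crack it offline,
# so a privileged account must not carry one.
$findings['P-Kerberoasting'] = @($admins | Where-Object { $_.servicePrincipalName }).SamAccountName

# S-NoPreAuthAdmin: DONT_REQ_PREAUTH returns crackable AS-REP material without a password.
$findings['S-NoPreAuthAdmin'] = @($admins | Where-Object { $_.DoesNotRequirePreAuth }).SamAccountName

# P-AdminPwdTooOld: privileged passwords not rotated in the last 3 years.
$cutoff = (Get-Date).AddYears(-3)
$findings['P-AdminPwdTooOld'] = @($admins | Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff }).SamAccountName

# S-PwdNeverExpires: enabled accounts flagged DONT_EXPIRE_PASSWORD.
$findings['S-PwdNeverExpires'] = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true').SamAccountName

# P-DNSAdmin, P-SchemaAdmin, P-OperatorsEmpty, P-RODCAllowedGroup: groups that should stay empty.
foreach ($g in 'DnsAdmins', 'Schema Admins', 'Account Operators', 'Server Operators',
               'Print Operators', 'Backup Operators', 'Allowed RODC Password Replication Group') {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    $findings["Members of '$g'"] = @($members).SamAccountName
}

# P-RODCDeniedGroup: the default members of the denied group must still be present
# (documented Windows Server default list, assumed here; adjust if your forest differs).
$defaultDenied = 'Cert Publishers', 'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
                 'Group Policy Creator Owners', 'krbtgt', 'Read-only Domain Controllers', 'Schema Admins'
$denied = @(Get-ADGroupMember -Identity 'Denied RODC Password Replication Group' -ErrorAction SilentlyContinue).Name
$findings['P-RODCDeniedGroup (missing defaults)'] = @($defaultDenied | Where-Object { $_ -notin $denied })

# A-ProtectedUsers: the group only exists once the domain functional level is 2012 R2 or later.
$findings['A-ProtectedUsers (group missing)'] = -not (Get-ADGroup -Filter "Name -eq 'Protected Users'")

# S-ADRegistration: ms-DS-MachineAccountQuota is how many machines any authenticated user may join.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
$findings['S-ADRegistration (MachineAccountQuota)'] = $quota

# S-DC-2008 / S-OS-Win7: unsupported operating systems still joined to the domain.
$findings['S-DC-2008'] = @(Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like 'Windows Server 2008*' }).Name
$findings['S-OS-Win7'] = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*" -and Enabled -eq $true' -Properties OperatingSystem).Name

# One row per rule; an empty Result means the finding is clear.
$findings.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Rule = $_.Key; Result = (@($_.Value) -join ', ') }
} | Format-Table -AutoSize -Wrap
```

Run it as an ordinary domain user from a management host; none of the queries need elevated rights. The MachineAccountQuota line should read 0 once S-ADRegistration is fixed, and the group rows should be empty apart from the denied-group check, which should show no missing defaults.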
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |
| 25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a constrained delegation: 1 |
| 15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |
| 10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |
| 10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |
New risk rules triggered
No data available to display.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admins with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC accepts a weak SSL/TLS protocol version on its server side (LDAPS). |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO explicitly disables LDAP client signing |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The PowerShell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |
| 30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which have never-expiring passwords: 4 |
New risk rules triggered
No data available to display.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admins with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC accepts a weak SSL/TLS protocol version on its server side (LDAPS). |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO explicitly disables LDAP client signing |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The PowerShell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |
| 50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |
| 10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |
New risk rules triggered
No data available to display.
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admins with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC accepts a weak SSL/TLS protocol version on its server side (LDAPS). |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO explicitly disables LDAP client signing |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The PowerShell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories
Risk rules resolved
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |
| 30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |
| 10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |
| 5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO explicitly disables LDAP client signing |
New risk rules triggered
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| Points | Level | Category | Model | RiskId | Rationale |
|---|---|---|---|---|---|
| 45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 |
| 30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 |
| 25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. |
| 20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 |
| 15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 |
| 15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 |
| 10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 |
| 10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admins with a password older than 3 years: 5 |
| 10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC accepts a weak SSL/TLS protocol version on its server side (LDAPS). |
| 10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) |
| 5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 |
| 5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 |
| 5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty |
| 5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing |
| 5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 |
| 5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] |
| 5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 |
| 5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled |
| 2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group |
| 1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] |
| 1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] |
| 1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 |
| 0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] |
| 0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contain a password |
| 0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. |
| 0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty |
| 0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) |
| 0 | 3 | Anomalies | Audit | A-AuditPowershell | The PowerShell audit configuration is not fully enabled. |
| 0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease |
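Several DC-level rules that recur in every snapshot above (S-SMB-v1, A-LMHashAuthorized, A-LDAPSigningDisabled, A-AuditPowershell, A-NoNetSessionHardening) describe the effective configuration of the domain controllers rather than directory objects, and PingCastle infers most of them from GPO content. The script below is an added example, not PingCastle's code: it reads the underlying settings off every writable DC over WinRM so the live state can be compared with what the GPOs claim. It assumes the caller is a domain admin, that WinRM reaches the DCs, that the registry locations are the standard policy paths for these settings, and that NetCease is detected the way the NetCease script itself works, by checking whether Authenticated Users (S-1-5-11) still appear in the SrvsvcSessionInfo security descriptor. Values are reported raw rather than judged.

```powershell
# Added example, not PingCastle code: read the host settings behind the DC findings
# off every writable DC. Assumptions: domain admin rights, WinRM reachable, standard
# policy registry paths, NetCease detected via the S-1-5-11 ACE in SrvsvcSessionInfo.
Import-Module ActiveDirectory

$checks = {
    function Get-RegValue([string]$Path, [string]$Name) {
        # Returns $null when the key or value is absent, so an unset policy shows as blank.
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $ldap = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $psl  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

    # S-SMB-v1: the SMB cmdlets are missing on 2008 R2 and older, so report that rather than fail.
    $smb1 = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else { 'n/a (pre-2012 host)' }

    # A-NoNetSessionHardening: NetCease removes Authenticated Users (S-1-5-11) from the
    # SrvsvcSessionInfo security descriptor so ordinary users cannot enumerate sessions.
    $authUsersCanEnumerate = $null
    $sdBytes = Get-RegValue $srv 'SrvsvcSessionInfo'
    if ($sdBytes) {
        $sd = New-Object -TypeName System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
        $authUsersCanEnumerate = [bool]($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq 'S-1-5-11' })
    }

    [pscustomobject]@{
        DC                    = $env:COMPUTERNAME
        SMB1Enabled           = $smb1
        # A-LMHashAuthorized: NoLMHash=1 stops LM hashes being stored; LmCompatibilityLevel 5 refuses LM and NTLMv1.
        NoLMHash              = Get-RegValue $lsa 'NoLMHash'
        LmCompatibilityLevel  = Get-RegValue $lsa 'LmCompatibilityLevel'
        # A-LDAPSigningDisabled: client 0 = none, 1 = negotiate, 2 = require; server 2 = require signing.
        LdapClientIntegrity   = Get-RegValue $ldap 'LDAPClientIntegrity'
        LdapServerIntegrity   = Get-RegValue $ntds 'LDAPServerIntegrity'
        # A-AuditPowershell: both should be 1 for the audit configuration to count as fully enabled.
        ScriptBlockLogging    = Get-RegValue "$psl\ScriptBlockLogging" 'EnableScriptBlockLogging'
        ModuleLogging         = Get-RegValue "$psl\ModuleLogging" 'EnableModuleLogging'
        AuthUsersCanEnumerate = $authUsersCanEnumerate
    }
}

# Writable DCs only; add the RODCs if a finding names one.
$dcs = (Get-ADDomainController -Filter { IsReadOnly -eq $false }).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $checks |
    Select-Object DC, SMB1Enabled, NoLMHash, LmCompatibilityLevel, LdapClientIntegrity,
                  LdapServerIntegrity, ScriptBlockLogging, ModuleLogging, AuthUsersCanEnumerate |
    Format-Table -AutoSize
```

A clean row reads SMB1Enabled False, NoLMHash 1, LmCompatibilityLevel 5, LdapClientIntegrity 2, LdapServerIntegrity 2, both logging values 1 and AuthUsersCanEnumerate False. A blank cell means the policy is not set on that host at all, which for the LM and signing settings is what A-LMHashAuthorized and A-LDAPSigningDisabled are warning about; a GPO that explicitly writes 0 is the worse case and shows up as a 0.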
